Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
by Rob Crittenden
Jeremy Tourville via FreeIPA-users wrote:
> I was doing some reading and troubleshooting
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>
> which basically says:
> #1 ipa-cacert-manage renew
> #2 ipa-certupdate
> #3 certutil -L -d /etc/pki/pki-tomcat/alias (to test the certs)
>
> See my output. Step #1 and #3 work now but #2 still fails
>
>
> [root@utility certs]# ipa-certupdate
>
> cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
> The ipa-certupdate command failed.
So update-ca-trust had no effect, or was this run beforehand?
> [root@utility certs]# certutil -L -d /etc/pki/pik-tomcat/alias
>
> certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad
> database.
It failed because of a typo, pik -> pki.
> [root@utility certs]# ipa-cacert-manage renew
>
> Renewing CA certificate, please wait
> CA certificate successfully renewed
> The ipa-cacert-manage command was successful
This renews the CA certificate. The CA is good for 20 years, you didn't
need to do this.
> [root@utility certs]# ipa-certupdate
>
> cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
> The ipa-certupdate command failed.
We now have another CA certificate for IPA in the mix because of the
renewal.
>
> [root@utility certs]# certutil -L -d /etc/pki/pki-tomcat/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> IDM.NAC-ISSA.ORG IPA CA                                      CTu,Cu,Cu
> [root@utility certs]# reboot
It isn't a problem with the CA. The system doesn't trust the CA for some
reason, though the openssl command verified that it is ok.
> [root@utility certs]# reboot
>
> [root@utility ~]# ipa-certupdate
>
> cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
> The ipa-certupdate command failed.
You didn't happen to touch /etc/httpd/conf.d/ssl.conf did you?
rob
>
> [root@utility ~]# ipactl status
>
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten(a)redhat.com>
> *Sent:* Friday, September 10, 2021 9:49 AM
> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>; FreeIPA users
> list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Florence Renaud <flo(a)redhat.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Jeremy Tourville wrote:
>> [root@utility certs]# curl https://utility.idm.nac-issa.org/
>> curl: (60) SSL certificate problem: self signed certificate in
>> certificate chain
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>>
>> curl failed to verify the legitimacy of the server and therefore could not
>> establish a secure connection to it. To learn more about this situation and
>> how to fix it, please visit the web page mentioned above.
>>
>> [root@utility certs]# update-ca-trust
>>
>> [root@utility certs]# ausearch -m AVC -ts recent
>> <no matches>
>>
>> [root@utility certs]# ipa-healthcheck
>> -bash: ipa-healthcheck: command not found
>
> I should have mentioned, try the curl after running update-ca-trust.
>
> ipa-healthcheck is not installed by default, you'd need to install the
> {free}ipa-healthcheck package.
>
> rob
>
>>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Rob Crittenden <rcritten(a)redhat.com>
>> *Sent:* Friday, September 10, 2021 9:33 AM
>> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>; FreeIPA users
>> list <freeipa-users(a)lists.fedorahosted.org>
>> *Cc:* Florence Renaud <flo(a)redhat.com>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>
>> Jeremy Tourville wrote:
>>> [root@utility certs]# ipa-certupdate
>>> cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>>> The ipa-certupdate command failed.
>>>
>>> Sort of a bad catch 22 I guess?
>>
>> Yeah, I was afraid of that.
>>
>> Let's walk through it. Try a simple command for another data point. I'm
>> not sure what we'd do with this but it will exercise the system-wide
>> trust as well:
>>
>> $ curl https://`hostname`/
>>
>> Rebuilding the CA trust db may help
>>
>> # update-ca-trust
>>
>> I suppose also look for AVCs in case something is way out-of-whack:
>>
>> # ausearch -m AVC -ts recent
>>
>> ipa-healthcheck may be something to try as well but you're likely to get
>> a crapton of false positives since it can't talk to the web interface.
>>
>> rob
>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rob Crittenden <rcritten(a)redhat.com>
>>> *Sent:* Friday, September 10, 2021 9:09 AM
>>> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>; FreeIPA users
>>> list <freeipa-users(a)lists.fedorahosted.org>
>>> *Cc:* Florence Renaud <flo(a)redhat.com>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>> running ipa-dns-install? (Was - Unable to start directory server after
>>> updates)
>>>
>>> Jeremy Tourville wrote:
>>>> Now I understand how to test the cert(s) after re-reading your comments
>>>> Rob and Flo 🙂
>>>>
>>>> [root@utility certs]# openssl verify -verbose -show_chain -CAfile
>>>> /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
>>>> /var/lib/ipa/certs/httpd.crt: OK
>>>> Chain:
>>>> depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.org (untrusted)
>>>> depth=1: O = IDM.NAC-ISSA.ORG, CN = Certificate Authority
>>>
>>> I'd try running ipa-certupdate. I have the feeling some of the
>>> system-wide certificates are out-of-sync.
>>>
>>> rob
>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>>>> *Sent:* Thursday, September 9, 2021 5:45 PM
>>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>>> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
>>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>>> running ipa-dns-install? (Was - Unable to start directory server after
>>>> updates)
>>>>
>>>> Oh wait!!! Which set of certs do I need to test against for my
>>>> certificate chain?
>>>> I realized I didn't include the proper path when testing. It should be
>>>> something like-
>>>>
>>>> # openssl verify -verbose -show_chain -CAfile <path to root or
>>>> intermediate cert> /etc/ipa/ca.crt
>>>> # openssl verify -verbose -show_chain -CAfile <path to root or
>>>> intermediate cert> /var/lib/ipa/certs/httpd.crt
>>>>
>>>> This would give you output (presuming you are using the correct set of
>>>> certs)
>>>> /etc/ipa/ca.crt: OK
>>>> /var/lib/ipa/certs/httpd.crt: OK
>>>>
>>>> Which path contains the intermediate or root CA certs I need to test
>>>> against?
>>>>
>>>> [root@utility ~]# ls -la | find / -name *.crt
>>>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
>>>> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
>>>> /etc/pki/tls/certs/ca-bundle.crt
>>>> /etc/pki/tls/certs/ca-bundle.trust.crt
>>>> /etc/pki/tls/certs/localhost.crt
>>>> /etc/pki/pki-tomcat/alias/ca.crt
>>>> /etc/ipa/ca.crt
>>>> /etc/dirsrv/ssca/ca.crt
>>>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
>>>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
>>>> /var/lib/ipa/certs/httpd.crt
>>>> /var/kerberos/krb5kdc/kdc.crt
>>>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
>>>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
>>>> /usr/share/ipa/html/ca.crt
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>>>> *Sent:* Thursday, September 9, 2021 3:13 PM
>>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>>> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
>>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>>> running ipa-dns-install? (Was - Unable to start directory server after
>>>> updates)
>>>>
>>>>> It isn't complaining that the certificate isn't valid, it's complaining
>>>>> that it isn't trusted.
>>>> Thanks for pointing out my mistake. I'm wearing some egg on my face. I
>>>> was thinking about it wrong at the time of my reply.
>>>>
>>>> I attempted to verify trust-
>>>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>>>> /etc/ipa/ca.crt
>>>> ^C
>>>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>>>> /var/lib/ipa/certs/httpd.crt
>>>> ^C
>>>>
>>>> As you can see, no output, so yeah, they are not trusted.
>>>>
>>>>> Where did httpd.crt come from/what issuer?
>>>> I recall not using a 3rd party CA. The certs were just self-signed when
>>>> the ipa server was initially built. I never did replace the certs as it
>>>> wasn't required for our situation.
>>>>
>>>> Next steps I guess would be to generate some new certs? Thoughts?
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Rob Crittenden <rcritten(a)redhat.com>
>>>> *Sent:* Thursday, September 9, 2021 12:53 PM
>>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>>> *Cc:* Florence Renaud <flo(a)redhat.com>; Jeremy Tourville
>>>> <jeremy_tourville(a)hotmail.com>
>>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>>> running ipa-dns-install? (Was - Unable to start directory server after
>>>> updates)
>>>>
>>>> Jeremy Tourville via FreeIPA-users wrote:
>>>>> /var/lib/ipa/certs/httpd.crt
>>>>> looks valid and has a 3 year validity date starting from Nov 23, 2020
>>>>>
>>>>> /etc/ipa/ca.crt
>>>>> looks valid and has a 20 year validity date starting from Nov 23, 2020
>>>>
>>>> It isn't complaining that the certificate isn't valid, it's complaining
>>>> that it isn't trusted. You also need to look at the signer and ensure
>>>> that the system trusts it globally. Where did httpd.crt come from/what
>>>> issuer?
>>>>
>>>> You might try running:
>>>>
>>>> openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
>>>> /var/lib/ipa/certs/httpd.crt
>>>>
>>>> See the default.conf(5) man page for a description of default.conf,
>>>> server.conf, etc. In this case server is a context so the configuration
>>>> only applies there.
>>>>
>>>> rob
>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Florence Renaud <flo(a)redhat.com>
>>>>> *Sent:* Tuesday, September 7, 2021 11:38 AM
>>>>> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>>>>> *Cc:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>>>> running ipa-dns-install? (Was - Unable to start directory server after
>>>>> updates)
>>>>>
>>>>> Hi Jeremy,
>>>>>
>>>>> to enable debugging you can simply create /etc/ipa/server.conf if the
>>>>> file does not exist:
>>>>> # cat /etc/ipa/server.conf
>>>>> [global]
>>>>> debug=True
>>>>> # systemctl restart httpd
>>>>>
>>>>> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
>>>>> examine its content with
>>>>> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
>>>>> If the IPA deployment includes an embedded CA, the CA that issued the
>>>>> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
>>>>> openssl command.
>>>>>
>>>>> flo
>>>>>
>>>>> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
>>>>> <jeremy_tourville(a)hotmail.com> wrote:
>>>>>
>>>>> I think I see the issue but I am unsure what to do to fix it. See
>>>>> below.
>>>>>
>>>>> To answer your question, yes I did accept the security exception.
>>>>>
>>>>> Also, I don't see a server.conf file at /etc/ipa so that I may
>>>>> enable debugging. What can you suggest for this issue?
>>>>>
>>>>>
>>>>> [root@utility ~]# ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: RUNNING
>>>>> httpd Service: RUNNING
>>>>> ipa-custodia Service: RUNNING
>>>>> pki-tomcatd Service: RUNNING
>>>>> smb Service: RUNNING
>>>>> winbind Service: RUNNING
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-ods-exporter Service: STOPPED
>>>>> ods-enforcerd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>> ipa: INFO: The ipactl command was successful
>>>>>
>>>>> [root@utility ~]# kinit admin
>>>>> Password for admin(a)IDM.NAC-ISSA.ORG:
>>>>>
>>>>> [root@utility ~]# klist
>>>>> Ticket cache: KCM:0:43616
>>>>> Default principal: admin(a)IDM.NAC-ISSA.ORG
>>>>>
>>>>> Valid starting       Expires              Service principal
>>>>> 09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/IDM.NAC-ISSA.ORG(a)IDM.NAC-ISSA.ORG
>>>>>
>>>>> [root@utility ~]# ipa config-show
>>>>> ipa: ERROR: cannot connect to
>>>>> 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>>>>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> *From:* Florence Renaud <flo(a)redhat.com>
>>>>> *Sent:* Tuesday, September 7, 2021 10:47 AM
>>>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>>>> *Cc:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>>>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
>>>>> after running ipa-dns-install? (Was - Unable to start directory
>>>>> server after updates)
>>>>>
>>>>> Hi Jeremy,
>>>>> Did you accept the security exception displayed by the browser (I'm
>>>>> trying to eliminate obvious issues)?
>>>>> If nothing is displayed, can you check if ipa command-line is
>>>>> working as expected (for instance do "kinit admin; ipa config-show")?
>>>>> You may want to enable debug logs (add debug=True to the [global]
>>>>> section of /etc/ipa/server.conf and restart httpd service), retry
>>>>> WebUI authentication and check the generated logs in
>>>>> /var/log/http/error_log
>>>>>
>>>>> flo
>>>>>
>>>>> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
>>>>> <freeipa-users(a)lists.fedorahosted.org
>>>>> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>>>>>
>>>>> OK,
>>>>> Why don't I see anything on the initial login page?
>>>>> All I see is the URL and the fact that the certificate is not
>>>>> trusted. The certificate is not expired yet. Not until Nov 2021.
>>>>> The login page is mostly solid white with no login or
>>>>> password field.
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list --
>>>>> freeipa-users(a)lists.fedorahosted.org
>>>>> <mailto:freeipa-users@lists.fedorahosted.org>
>>>>> To unsubscribe send an email to
>>>>> freeipa-users-leave(a)lists.fedorahosted.org
>>>>> <mailto:freeipa-users-leave@lists.fedorahosted.org>
>>>>> Fedora Code of Conduct:
>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines:
>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>> Do not reply to spam on the list, report it:
>>>>> https://pagure.io/fedora-infrastructure
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
>
>
2 years, 7 months
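Rob's distinction above between a certificate that verifies against /etc/ipa/ca.crt and one the system actually trusts, together with his note that the renewal put a second IPA CA certificate in the mix, can be checked directly. The script below is an added example and not FreeIPA's own code: it lists every certificate in /etc/ipa/ca.crt and reports whether the same certificate (by SHA-256 fingerprint of its DER encoding) is present in the system bundle /etc/pki/tls/certs/ca-bundle.crt. The paths come from the thread; the sample PEM blocks are constructed stand-ins, and the check compares fingerprints only, not signatures.

```python
"""
Is the CA that FreeIPA hands out in /etc/ipa/ca.crt present in the system-wide
trust bundle?  A server certificate can verify fine against /etc/ipa/ca.crt
(the "valid" question) while the bundle that curl, the ipa client and
ipa-certupdate rely on lacks that CA (the "trusted" question).  Added example,
not FreeIPA code; standard library only, compares SHA-256 fingerprints of the
DER encoding so no X.509 parsing is needed.
"""
import base64
import hashlib
import re
import sys
from typing import Dict, List

# Paths from the thread: the IPA CA file and the OpenSSL-format system bundle.
# (The *.trust.crt bundles use "TRUSTED CERTIFICATE" blocks, which this does not match.)
IPA_CA_FILE = "/etc/ipa/ca.crt"
SYSTEM_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"

# One PEM certificate block; re.S lets the base64 body span lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def sha256_fingerprint(der: bytes) -> str:
    """Format a DER blob's SHA-256 digest like `openssl x509 -fingerprint -sha256`."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def pem_fingerprints(pem_text: str) -> List[str]:
    """Return the fingerprint of every certificate in a PEM bundle, in file order."""
    fingerprints = []
    for match in _PEM_BLOCK.finditer(pem_text):
        # Strip line breaks and whitespace inside the base64 body before decoding.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        fingerprints.append(sha256_fingerprint(der))
    return fingerprints


def trust_report(ipa_ca_pem: str, bundle_pem: str) -> Dict[str, bool]:
    """Map each CA fingerprint in the IPA CA file to whether the system bundle contains it."""
    in_bundle = set(pem_fingerprints(bundle_pem))
    return {fp: fp in in_bundle for fp in pem_fingerprints(ipa_ca_pem)}


def missing_cas(ipa_ca_pem: str, bundle_pem: str) -> List[str]:
    """Fingerprints of IPA CA certificates absent from the system bundle (empty list = all trusted)."""
    return [fp for fp, present in trust_report(ipa_ca_pem, bundle_pem).items() if not present]


# --- Constructed sample data (not real certificates) ---------------------------
def _pem_from_bytes(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block so the fingerprint logic can run offline."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins: the CA the system learnt at install time, and the second
# CA certificate that exists after `ipa-cacert-manage renew`.
ORIGINAL_CA_PEM = _pem_from_bytes(b"constructed: original IPA CA (install time)")
RENEWED_CA_PEM = _pem_from_bytes(b"constructed: renewed IPA CA after ipa-cacert-manage renew")
# A system bundle that only ever saw the original CA (plus an unrelated public CA).
STALE_BUNDLE_PEM = _pem_from_bytes(b"constructed: some public root CA") + ORIGINAL_CA_PEM
# The bundle after update-ca-trust / ipa-certupdate has pulled in both IPA CA certs.
REFRESHED_BUNDLE_PEM = STALE_BUNDLE_PEM + RENEWED_CA_PEM


def main(argv: List[str]) -> int:
    """Compare the real files (or two paths given on the command line) and report."""
    ca_path, bundle_path = (argv[1], argv[2]) if len(argv) == 3 else (IPA_CA_FILE, SYSTEM_BUNDLE)
    with open(ca_path, encoding="utf-8", errors="replace") as ca_file, \
            open(bundle_path, encoding="utf-8", errors="replace") as bundle_file:
        report = trust_report(ca_file.read(), bundle_file.read())
    for fp, present in report.items():
        print(f"{'trusted' if present else 'MISSING'}  {fp}")
    # Non-zero exit when any IPA CA is absent from the system trust, so it can gate a health check.
    return 0 if report and all(report.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on the IPA server, or pass the two file paths explicitly; a MISSING line for a CA in /etc/ipa/ca.crt is the condition update-ca-trust and ipa-certupdate are meant to correct.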
Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
by Rob Crittenden
Jeremy Tourville wrote:
> [root@utility certs]# curl https://utility.idm.nac-issa.org/
> curl: (60) SSL certificate problem: self signed certificate in
> certificate chain
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
>
> [root@utility certs]# update-ca-trust
>
> [root@utility certs]# ausearch -m AVC -ts recent
> <no matches>
>
> [root@utility certs]# ipa-healthcheck
> -bash: ipa-healthcheck: command not found
I should have mentioned, try the curl after running update-ca-trust.
ipa-healthcheck is not installed by default, you'd need to install the
{free}ipa-healthcheck package.
rob
>
>
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten(a)redhat.com>
> *Sent:* Friday, September 10, 2021 9:33 AM
> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>; FreeIPA users
> list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Florence Renaud <flo(a)redhat.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Jeremy Tourville wrote:
>> [root@utility certs]# ipa-certupdate
>> cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>> The ipa-certupdate command failed.
>>
>> Sort of a bad catch 22 I guess?
>
> Yeah, I was afraid of that.
>
> Let's walk through it. Try a simple command for another data point. I'm
> not sure what we'd do with this but it will exercise the system-wide
> trust as well:
>
> $ curl https://`hostname`/
>
> Rebuilding the CA trust db may help
>
> # update-ca-trust
>
> I suppose also look for AVCs in case something is way out-of-whack:
>
> # ausearch -m AVC -ts recent
>
> ipa-healthcheck may be something to try as well but you're likely to get
> a crapton of false positives since it can't talk to the web interface.
>
> rob
>
>>
>> ------------------------------------------------------------------------
>> *From:* Rob Crittenden <rcritten(a)redhat.com>
>> *Sent:* Friday, September 10, 2021 9:09 AM
>> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>; FreeIPA users
>> list <freeipa-users(a)lists.fedorahosted.org>
>> *Cc:* Florence Renaud <flo(a)redhat.com>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>
>> Jeremy Tourville wrote:
>>> Now I understand how to test the cert(s) after re-reading your comments
>>> Rob and Flo 🙂
>>>
>>> [root@utility certs]# openssl verify -verbose -show_chain -CAfile
>>> /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
>>> /var/lib/ipa/certs/httpd.crt: OK
>>> Chain:
>>> depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.org (untrusted)
>>> depth=1: O = IDM.NAC-ISSA.ORG, CN = Certificate Authority
>>
>> I'd try running ipa-certupdate. I have the feeling some of the
>> system-wide certificates are out-of-sync.
>>
>> rob
>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>>> *Sent:* Thursday, September 9, 2021 5:45 PM
>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>> running ipa-dns-install? (Was - Unable to start directory server after
>>> updates)
>>>
>>> Oh wait!!! Which set of certs do I need to test against for my
>>> certificate chain?
>>> I realized I didn't include the proper path when testing. It should be
>>> something like-
>>>
>>> # openssl verify -verbose -show_chain -CAfile <path to root or
>>> intermediate cert> /etc/ipa/ca.crt
>>> # openssl verify -verbose -show_chain -CAfile <path to root or
>>> intermediate cert> /var/lib/ipa/certs/httpd.crt
>>>
>>> This would give you output (presuming you are using the correct set of
>>> certs)
>>> /etc/ipa/ca.crt: OK
>>> /var/lib/ipa/certs/httpd.crt: OK
>>>
>>> Which path contains the intermediate or root CA certs I need to test
>>> against?
>>>
>>> [root@utility ~]# ls -la | find / -name *.crt
>>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
>>> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
>>> /etc/pki/tls/certs/ca-bundle.crt
>>> /etc/pki/tls/certs/ca-bundle.trust.crt
>>> /etc/pki/tls/certs/localhost.crt
>>> /etc/pki/pki-tomcat/alias/ca.crt
>>> /etc/ipa/ca.crt
>>> /etc/dirsrv/ssca/ca.crt
>>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
>>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
>>> /var/lib/ipa/certs/httpd.crt
>>> /var/kerberos/krb5kdc/kdc.crt
>>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
>>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
>>> /usr/share/ipa/html/ca.crt
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>>> *Sent:* Thursday, September 9, 2021 3:13 PM
>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>> running ipa-dns-install? (Was - Unable to start directory server after
>>> updates)
>>>
>>>> It isn't complaining that the certificate isn't valid, it's complaining
>>>> that it isn't trusted.
>>> Thanks for pointing out my mistake. I'm wearing some egg on my face. I
>>> was thinking about it wrong at the time of my reply.
>>>
>>> I attempted to verify trust-
>>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>>> /etc/ipa/ca.crt
>>> ^C
>>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>>> /var/lib/ipa/certs/httpd.crt
>>> ^C
>>>
>>> As you can see, no output, so yeah, they are not trusted.
>>>
>>>> Where did httpd.crt come from/what issuer?
>>> I recall not using a 3rd party CA. The certs were just self-signed when
>>> the ipa server was initially built. I never did replace the certs as it
>>> wasn't required for our situation.
>>>
>>> Next steps I guess would be to generate some new certs? Thoughts?
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rob Crittenden <rcritten(a)redhat.com>
>>> *Sent:* Thursday, September 9, 2021 12:53 PM
>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>> *Cc:* Florence Renaud <flo(a)redhat.com>; Jeremy Tourville
>>> <jeremy_tourville(a)hotmail.com>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>> running ipa-dns-install? (Was - Unable to start directory server after
>>> updates)
>>>
>>> Jeremy Tourville via FreeIPA-users wrote:
>>>> /var/lib/ipa/certs/httpd.crt
>>>> looks valid and has a 3 year validity date starting from Nov 23, 2020
>>>>
>>>> /etc/ipa/ca.crt
>>>> looks valid and has a 20 year validity date starting from Nov 23, 2020
>>>
>>> It isn't complaining that the certificate isn't valid, it's complaining
>>> that it isn't trusted. You also need to look at the signer and ensure
>>> that the system trusts it globally. Where did httpd.crt come from/what
>>> issuer?
>>>
>>> You might try running:
>>>
>>> openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
>>> /var/lib/ipa/certs/httpd.crt
>>>
>>> See the default.conf(5) man page for a description of default.conf,
>>> server.conf, etc. In this case server is a context so the configuration
>>> only applies there.
>>>
>>> rob
>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Florence Renaud <flo(a)redhat.com>
>>>> *Sent:* Tuesday, September 7, 2021 11:38 AM
>>>> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>>>> *Cc:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>>> running ipa-dns-install? (Was - Unable to start directory server after
>>>> updates)
>>>>
>>>> Hi Jeremy,
>>>>
>>>> to enable debugging you can simply create /etc/ipa/server.conf if the
>>>> file does not exist:
>>>> # cat /etc/ipa/server.conf
>>>> [global]
>>>> debug=True
>>>> # systemctl restart httpd
>>>>
>>>> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
>>>> examine its content with
>>>> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
>>>> If the IPA deployment includes an embedded CA, the CA that issued the
>>>> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
>>>> openssl command.
>>>>
>>>> flo
>>>>
>>>> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
>>>> <jeremy_tourville(a)hotmail.com> wrote:
>>>>
>>>> I think I see the issue but I am unsure what to do to fix it. See
>>>> below.
>>>>
>>>> To answer your question, yes I did accept the security exception.
>>>>
>>>> Also, I don't see a server.conf file at /etc/ipa so that I may
>>>> enable debugging. What can you suggest for this issue?
>>>>
>>>>
>>>> [root@utility ~]# ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> httpd Service: RUNNING
>>>> ipa-custodia Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> smb Service: RUNNING
>>>> winbind Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-ods-exporter Service: STOPPED
>>>> ods-enforcerd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> [root@utility ~]# kinit admin
>>>> Password for admin(a)IDM.NAC-ISSA.ORG:
>>>>
>>>> [root@utility ~]# klist
>>>> Ticket cache: KCM:0:43616
>>>> Default principal: admin(a)IDM.NAC-ISSA.ORG
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/IDM.NAC-ISSA.ORG(a)IDM.NAC-ISSA.ORG
>>>>
>>>> [root@utility ~]# ipa config-show
>>>> ipa: ERROR: cannot connect to
>>>> 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>>>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Florence Renaud <flo(a)redhat.com>
>>>> *Sent:* Tuesday, September 7, 2021 10:47 AM
>>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>>> *Cc:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
>>>> after running ipa-dns-install? (Was - Unable to start directory
>>>> server after updates)
>>>>
>>>> Hi Jeremy,
>>>> Did you accept the security exception displayed by the browser (I'm
>>>> trying to eliminate obvious issues)?
>>>> If nothing is displayed, can you check if ipa command-line is
>>>> working as expected (for instance do "kinit admin; ipa config-show")?
>>>> You may want to enable debug logs (add debug=True to the [global]
>>>> section of /etc/ipa/server.conf and restart httpd service), retry
>>>> WebUI authentication and check the generated logs in
>>>> /var/log/http/error_log
>>>>
>>>> flo
>>>>
>>>> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
>>>> <freeipa-users(a)lists.fedorahosted.org
>>>> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>>>>
>>>> OK,
>>>> Why don't I see anything on the initial login page?
>>>> All I see is the URL and the fact that the certificate is not
>>>> trusted. The certificate is not expired yet. Not until Nov 2021.
>>>> The login page is mostly solid white with no login or
>>>> password field.
>>>>
>>>>
>>>>
>>>
>>
>
2 years, 7 months
Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
by Rob Crittenden
Jeremy Tourville wrote:
> [root@utility certs]# ipa-certupdate
> cannot connect to 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
> The ipa-certupdate command failed.
>
> Sort of a bad catch 22 I guess?
Yeah, I was afraid of that.
Let's walk through it. Try a simple command for another data point. I'm
not sure what we'd do with this but it will exercise the system-wide
trust as well:
$ curl https://`hostname`/
Rebuilding the CA trust db may help
# update-ca-trust
I suppose also look for AVCs in case something is way out-of-whack:
# ausearch -m AVC -ts recent
ipa-healthcheck may be something to try as well but you're likely to get
a crapton of false positives since it can't talk to the web interface.
rob
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten(a)redhat.com>
> *Sent:* Friday, September 10, 2021 9:09 AM
> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>; FreeIPA users
> list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Florence Renaud <flo(a)redhat.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Jeremy Tourville wrote:
>> Now I understand how to test the cert(s) after re-reading your comments
>> Rob and Flo 🙂
>>
>> [root@utility certs]# openssl verify -verbose -show_chain -CAfile
>> /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
>> /var/lib/ipa/certs/httpd.crt: OK
>> Chain:
>> depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.org (untrusted)
>> depth=1: O = IDM.NAC-ISSA.ORG, CN = Certificate Authority
>
> I'd try running ipa-certupdate. I have the feeling some of the
> system-wide certificates are out-of-sync.
>
> rob
>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>> *Sent:* Thursday, September 9, 2021 5:45 PM
>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>
>> Oh wait!!! Which set of certs do I need to test against for my
>> certificate chain?
>> I realized I didn't include the proper path when testing. It should be
>> something like-
>>
>> # openssl verify -verbose -show_chain -CAfile <path to root or
>> intermediate cert> /etc/ipa/ca.crt
>> # openssl verify -verbose -show_chain -CAfile <path to root or
>> intermediate cert> /var/lib/ipa/certs/httpd.crt
>>
>> This would give you output (presuming you are using the correct set of
>> certs)
>> /etc/ipa/ca.crt: OK
>> /var/lib/ipa/certs/httpd.crt: OK
>>
>> Which path contains the intermediate or root CA certs I need to test
>> against?
>>
>> [root@utility ~]# ls -la | find / -name *.crt
>> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
>> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
>> /etc/pki/tls/certs/ca-bundle.crt
>> /etc/pki/tls/certs/ca-bundle.trust.crt
>> /etc/pki/tls/certs/localhost.crt
>> /etc/pki/pki-tomcat/alias/ca.crt
>> /etc/ipa/ca.crt
>> /etc/dirsrv/ssca/ca.crt
>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
>> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
>> /var/lib/ipa/certs/httpd.crt
>> /var/kerberos/krb5kdc/kdc.crt
>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
>> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
>> /usr/share/ipa/html/ca.crt
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>> *Sent:* Thursday, September 9, 2021 3:13 PM
>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>
>>>>> It isn't complaining that the certificate isn't valid, it's complaining
>>>>> that it isn't trusted.
>> Thanks for pointing out my mistake. I'm wearing some egg on my face. I
>> was thinking about it wrong at the time of my reply.
>>
>> I attempted to verify trust-
>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>> /etc/ipa/ca.crt
>> ^C
>> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
>> /var/lib/ipa/certs/httpd.crt
>> ^C
>>
>> As you can see, no output, so yeah, they are not trusted.
>>
>>>> Where did httpd.crt come from/what issuer?
>> I recall not using a 3rd party CA. The certs were just self-signed when
>> the ipa server was initially built. I never did replace the certs as it
>> wasn't required for our situation.
>>
>> Next steps I guess would be to generate some new certs? Thoughts?
>>
>> ------------------------------------------------------------------------
>> *From:* Rob Crittenden <rcritten(a)redhat.com>
>> *Sent:* Thursday, September 9, 2021 12:53 PM
>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> *Cc:* Florence Renaud <flo(a)redhat.com>; Jeremy Tourville
>> <jeremy_tourville(a)hotmail.com>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>
>> Jeremy Tourville via FreeIPA-users wrote:
>>> /var/lib/ipa/certs/httpd.crt
>>> looks valid and has a 3 year validity date starting from Nov 23, 2020
>>>
>>> /etc/ipa/ca.crt
>>> looks valid and has a 20 year validity date starting from Nov 23, 2020
>>
>> It isn't complaining that the certificate isn't valid, it's complaining
>> that it isn't trusted. You also need to look at the signer and ensure
>> that the system trusts it globally. Where did httpd.crt come from/what
>> issuer?
>>
>> You might try running:
>>
>> openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
>> /var/lib/ipa/certs/httpd.crt
>>
>> See the default.conf(5) man page for a description of default.conf,
>> server.conf, etc. In this case server is a context so the configuration
>> only applies there.
>>
>> rob
>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Florence Renaud <flo(a)redhat.com>
>>> *Sent:* Tuesday, September 7, 2021 11:38 AM
>>> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>>> *Cc:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>>> running ipa-dns-install? (Was - Unable to start directory server after
>>> updates)
>>>
>>> Hi Jeremy,
>>>
>>> to enable debugging you can simply create /etc/ipa/server.conf if the
>>> file does not exist:
>>> # cat /etc/ipa/server.conf
>>> [global]
>>> debug=True
>>> # systemctl restart httpd
>>>
>>> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
>>> examine its content with
>>> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
>>> If the IPA deployment includes an embedded CA, the CA that issued the
>>> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
>>> openssl command.
>>>
>>> flo
>>>
>>> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
>>> <jeremy_tourville(a)hotmail.com <mailto:jeremy_tourville@hotmail.com>> wrote:
>>>
>>> I think I see the issue but I am unsure what to do to fix it. See
>>> below.
>>>
>>> To answer your question, yes I did accept the security exception.
>>>
>>> Also, I don't see a server.conf file at /etc/ipa so that I may
>>> enable debugging. What can you suggest for this issue?
>>>
>>>
>>> [root@utility ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-ods-exporter Service: STOPPED
>>> ods-enforcerd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>>
>>> [root@utility ~]# kinit admin
>>> Password for admin(a)IDM.NAC-ISSA.ORG <mailto:admin@IDM.NAC-ISSA.ORG>:
>>>
>>> [root@utility ~]# klist
>>> Ticket cache: KCM:0:43616
>>> Default principal: admin(a)IDM.NAC-ISSA.ORG
>>> <mailto:admin@IDM.NAC-ISSA.ORG>
>>>
>>> Valid starting Expires Service principal
>>> 09/07/2021 10:59:23 09/08/2021 10:09:04
>>> krbtgt/IDM.NAC-ISSA.ORG(a)IDM.NAC-ISSA.ORG
>>> <mailto:IDM.NAC-ISSA.ORG@IDM.NAC-ISSA.ORG>
>>>
>>> [root@utility ~]# ipa config-show
>>> ipa: ERROR: cannot connect to
>>> 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Florence Renaud <flo(a)redhat.com <mailto:flo@redhat.com>>
>>> *Sent:* Tuesday, September 7, 2021 10:47 AM
>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org
>>> <mailto:freeipa-users@lists.fedorahosted.org>>
>>> *Cc:* Jeremy Tourville <jeremy_tourville(a)hotmail.com
>>> <mailto:jeremy_tourville@hotmail.com>>
>>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
>>> after running ipa-dns-install? (Was - Unable to start directory
>>> server after updates)
>>>
>>> Hi Jeremy,
>>> Did you accept the security exception displayed by the browser (I'm
>>> trying to eliminate obvious issues)?
>>> If nothing is displayed, can you check if ipa command-line is
>>> working as expected (for instance do "kinit admin; ipa config-show")?
>>> You may want to enable debug logs (add debug=True to the [global]
>>> section of /etc/ipa/server.conf and restart httpd service), retry
>>> WebUI authentication and check the generated logs in
>>> /var/log/http/error_log
>>>
>>> flo
>>>
>>> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
>>> <freeipa-users(a)lists.fedorahosted.org
>>> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>>>
>>> OK,
>>> Why don't I see anything on the initial login page?
>>> All I see is the URL and the fact that the certificate is not
>>> trusted. The certificate is not expired yet. Not until Nov 2021.
>>> The login page is mostly solid white with no login or
>>> password field.
2 years, 7 months
Add second SSL to host
by Per Qvindesland
Hi
I am using the IPA server as the CA for our Apache SSLs, but I am wondering if it's possible to have a second SSL that's not the same as the hostname, meaning I already have sub1.mydomain.com but I would like to also add sub2.mydomain.com for another site. Is this possible?
I have tried adding the hostname, so ipa host-add sub2.mydomain.com then ipa service-add HTTP/sub2.mydomain.com, but when I do:
ipa-getcert request -K HTTP/sub2.mydomain.com -k /ssl/sub2.mydomaincom.key -f /ssl/sub2.mydomain.com.csr -N sub2.mydomain.com then ipa-getcert list says it fails with:
status: CA_REJECTED
ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our request, giving up: 2100 (Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/sub2.mydomain.com(a)MYDOMAIN.COM,cn=services,cn=accounts,dc=mydomain,dc=com'.)
How can I resolve this?
Regards
Per
2 years, 7 months
Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
by Rob Crittenden
Jeremy Tourville wrote:
> Now I understand how to test the cert(s) after re-reading your comments
> Rob and Flo 🙂
>
> [root@utility certs]# openssl verify -verbose -show_chain -CAfile
> /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
> /var/lib/ipa/certs/httpd.crt: OK
> Chain:
> depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.org (untrusted)
> depth=1: O = IDM.NAC-ISSA.ORG, CN = Certificate Authority
I'd try running ipa-certupdate. I have the feeling some of the
system-wide certificates are out-of-sync.
rob
>
>
> ------------------------------------------------------------------------
> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Sent:* Thursday, September 9, 2021 5:45 PM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Oh wait!!! Which set of certs do I need to test against for my
> certificate chain?
> I realized I didn't include the proper path when testing. It should be
> something like-
>
> # openssl verify -verbose -show_chain -CAfile <path to root or
> intermediate cert> /etc/ipa/ca.crt
> # openssl verify -verbose -show_chain -CAfile <path to root or
> intermediate cert> /var/lib/ipa/certs/httpd.crt
>
> This would give you output (presuming you are using the correct set of
> certs)
> /etc/ipa/ca.crt: OK
> /var/lib/ipa/certs/httpd.crt: OK
>
> Which path contains the intermediate or root CA certs I need to test
> against?
>
> [root@utility ~]# ls -la | find / -name *.crt
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> /etc/pki/ca-trust/source/ca-bundle.legacy.crt
> /etc/pki/tls/certs/ca-bundle.crt
> /etc/pki/tls/certs/ca-bundle.trust.crt
> /etc/pki/tls/certs/localhost.crt
> /etc/pki/pki-tomcat/alias/ca.crt
> /etc/ipa/ca.crt
> /etc/dirsrv/ssca/ca.crt
> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
> /etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
> /var/lib/ipa/certs/httpd.crt
> /var/kerberos/krb5kdc/kdc.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
> /usr/share/ipa/html/ca.crt
>
>
> ------------------------------------------------------------------------
> *From:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Sent:* Thursday, September 9, 2021 3:13 PM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
>>>> It isn't complaining that the certificate isn't valid, it's complaining
>>>> that it isn't trusted.
> Thanks for pointing out my mistake. I'm wearing some egg on my face. I
> was thinking about it wrong at the time of my reply.
>
> I attempted to verify trust-
> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
> /etc/ipa/ca.crt
> ^C
> [root@utility ipa]# openssl verify -verbose -show_chain -CAfile
> /var/lib/ipa/certs/httpd.crt
> ^C
>
> As you can see, no output, so yeah, they are not trusted.
>
>>> Where did httpd.crt come from/what issuer?
> I recall not using a 3rd party CA. The certs were just self-signed when
> the ipa server was initially built. I never did replace the certs as it
> wasn't required for our situation.
>
> Next steps I guess would be to generate some new certs? Thoughts?
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten(a)redhat.com>
> *Sent:* Thursday, September 9, 2021 12:53 PM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Florence Renaud <flo(a)redhat.com>; Jeremy Tourville
> <jeremy_tourville(a)hotmail.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Jeremy Tourville via FreeIPA-users wrote:
>> /var/lib/ipa/certs/httpd.crt
>> looks valid and has a 3 year validity date starting from Nov 23, 2020
>>
>> /etc/ipa/ca.crt
>> looks valid and has a 20 year validity date starting from Nov 23, 2020
>
> It isn't complaining that the certificate isn't valid, it's complaining
> that it isn't trusted. You also need to look at the signer and ensure
> that the system trusts it globally. Where did httpd.crt come from/what
> issuer?
>
> You might try running:
>
> openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
> /var/lib/ipa/certs/httpd.crt
>
> See the default.conf(5) man page for a description of default.conf,
> server.conf, etc. In this case server is a context so the configuration
> only applies there.
>
> rob
>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Florence Renaud <flo(a)redhat.com>
>> *Sent:* Tuesday, September 7, 2021 11:38 AM
>> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
>> *Cc:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
>> running ipa-dns-install? (Was - Unable to start directory server after
>> updates)
>>
>> Hi Jeremy,
>>
>> to enable debugging you can simply create /etc/ipa/server.conf if the
>> file does not exist:
>> # cat /etc/ipa/server.conf
>> [global]
>> debug=True
>> # systemctl restart httpd
>>
>> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
>> examine its content with
>> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
>> If the IPA deployment includes an embedded CA, the CA that issued the
>> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
>> openssl command.
>>
>> flo
>>
>> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
>> <jeremy_tourville(a)hotmail.com <mailto:jeremy_tourville@hotmail.com>> wrote:
>>
>> I think I see the issue but I am unsure what to do to fix it. See
>> below.
>>
>> To answer your question, yes I did accept the security exception.
>>
>> Also, I don't see a server.conf file at /etc/ipa so that I may
>> enable debugging. What can you suggest for this issue?
>>
>>
>> [root@utility ~]# ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> httpd Service: RUNNING
>> ipa-custodia Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-ods-exporter Service: STOPPED
>> ods-enforcerd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> [root@utility ~]# kinit admin
>> Password for admin(a)IDM.NAC-ISSA.ORG <mailto:admin@IDM.NAC-ISSA.ORG>:
>>
>> [root@utility ~]# klist
>> Ticket cache: KCM:0:43616
>> Default principal: admin(a)IDM.NAC-ISSA.ORG
>> <mailto:admin@IDM.NAC-ISSA.ORG>
>>
>> Valid starting Expires Service principal
>> 09/07/2021 10:59:23 09/08/2021 10:09:04
>> krbtgt/IDM.NAC-ISSA.ORG(a)IDM.NAC-ISSA.ORG
>> <mailto:IDM.NAC-ISSA.ORG@IDM.NAC-ISSA.ORG>
>>
>> [root@utility ~]# ipa config-show
>> ipa: ERROR: cannot connect to
>> 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Florence Renaud <flo(a)redhat.com <mailto:flo@redhat.com>>
>> *Sent:* Tuesday, September 7, 2021 10:47 AM
>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org
>> <mailto:freeipa-users@lists.fedorahosted.org>>
>> *Cc:* Jeremy Tourville <jeremy_tourville(a)hotmail.com
>> <mailto:jeremy_tourville@hotmail.com>>
>> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
>> after running ipa-dns-install? (Was - Unable to start directory
>> server after updates)
>>
>> Hi Jeremy,
>> Did you accept the security exception displayed by the browser (I'm
>> trying to eliminate obvious issues)?
>> If nothing is displayed, can you check if ipa command-line is
>> working as expected (for instance do "kinit admin; ipa config-show")?
>> You may want to enable debug logs (add debug=True to the [global]
>> section of /etc/ipa/server.conf and restart httpd service), retry
>> WebUI authentication and check the generated logs in
>> /var/log/http/error_log
>>
>> flo
>>
>> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
>> <freeipa-users(a)lists.fedorahosted.org
>> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>>
>> OK,
>> Why don't I see anything on the initial login page?
>> All I see is the URL and the fact that the certificate is not
>> trusted. The certificate is not expired yet. Not until Nov 2021.
>> The login page is mostly solid white with no login or
>> password field.
2 years, 7 months
Upgrade FreeIPA cluster from v4.6 (el7) to v4.9 (el8)
by Mikhail Kiselev
Hi. I want to upgrade a cluster from 4.6 to 4.9.
To do this, I raised a host with EL8 and launched ipa-client-install.
Is this the right way, without data loss and service downtime?
In the logs:
tail -f /var/log/dirsrv/slapd-OPENTECH-LOCAL/access
[02/Sep/2021:20:09:48.282984535 +0700] conn=84 op=6 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses"
[02/Sep/2021:20:09:48.366825074 +0700] conn=84 op=6 RESULT err=0 tag=101 nentries=1 wtime=0.000158968 optime=0.083844272 etime=0.083999242
[02/Sep/2021:20:09:48.368297195 +0700] conn=84 op=7 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes"
[02/Sep/2021:20:09:48.455352207 +0700] conn=84 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000181242 optime=0.087049680 etime=0.087227596
[02/Sep/2021:20:09:48.598806315 +0700] conn=84 op=8 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses"
[02/Sep/2021:20:09:48.682435023 +0700] conn=84 op=8 RESULT err=0 tag=101 nentries=1 wtime=0.000253118 optime=0.083640981 etime=0.083890259
[02/Sep/2021:20:09:48.683959959 +0700] conn=84 op=9 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes"
[02/Sep/2021:20:09:48.770110056 +0700] conn=84 op=9 RESULT err=0 tag=101 nentries=1 wtime=0.000208691 optime=0.086154930 etime=0.086360171
[02/Sep/2021:20:09:48.909866069 +0700] conn=84 op=10 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[02/Sep/2021:20:09:48.912490317 +0700] conn=84 op=10 RESULT err=0 tag=120 nentries=0 wtime=0.000289908 optime=0.002650238 etime=0.002936579
[02/Sep/2021:20:10:48.922904521 +0700] conn=84 op=11 UNBIND
[02/Sep/2021:20:10:48.922965013 +0700] conn=84 op=11 fd=66 closed error - U1
[02/Sep/2021:20:14:48.918514584 +0700] conn=85 fd=66 slot=66 connection from 100.100.101.32 to 100.100.101.40
[02/Sep/2021:20:14:48.919643414 +0700] conn=85 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[02/Sep/2021:20:14:48.924271354 +0700] conn=85 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000226790 optime=0.004647939 etime=0.004872681, SASL bind in progress
[02/Sep/2021:20:14:48.924947480 +0700] conn=85 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[02/Sep/2021:20:14:48.926146732 +0700] conn=85 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000108403 optime=0.001218993 etime=0.001325062, SASL bind in progress
[02/Sep/2021:20:14:48.926456549 +0700] conn=85 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[02/Sep/2021:20:14:48.928285095 +0700] conn=85 op=2 RESULT err=0 tag=97 nentries=0 wtime=0.000100271 optime=0.001837886 etime=0.001936360 dn="cn=ldap/ipa.opentech.local(a)opentech.local,cn=config"
[02/Sep/2021:20:14:48.928732360 +0700] conn=85 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[02/Sep/2021:20:14:48.930310374 +0700] conn=85 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000268088 optime=0.001582573 etime=0.001848120
[02/Sep/2021:20:14:48.930713077 +0700] conn=85 op=4 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[02/Sep/2021:20:14:48.931502374 +0700] conn=85 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000163012 optime=0.000794216 etime=0.000955217
[02/Sep/2021:20:14:48.931924135 +0700] conn=85 op=5 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[02/Sep/2021:20:14:48.932420631 +0700] conn=85 op=5 RESULT err=0 tag=120 nentries=0 wtime=0.000175640 optime=0.000511504 etime=0.000685664
[02/Sep/2021:20:14:48.933224132 +0700] conn=85 op=6 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses"
[02/Sep/2021:20:14:49.020265304 +0700] conn=85 op=6 RESULT err=0 tag=101 nentries=1 wtime=0.000292725 optime=0.087050480 etime=0.087328584
[02/Sep/2021:20:14:49.021831595 +0700] conn=85 op=7 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes"
[02/Sep/2021:20:14:49.108675770 +0700] conn=85 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000198623 optime=0.086851160 etime=0.087044647
[02/Sep/2021:20:14:49.302421780 +0700] conn=85 op=8 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses"
[02/Sep/2021:20:14:49.386806785 +0700] conn=85 op=8 RESULT err=0 tag=101 nentries=1 wtime=0.000241187 optime=0.084394151 etime=0.084629811
[02/Sep/2021:20:14:49.388020857 +0700] conn=85 op=9 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes"
[02/Sep/2021:20:14:49.472898588 +0700] conn=85 op=9 RESULT err=0 tag=101 nentries=1 wtime=0.000201533 optime=0.084883308 etime=0.085081048
[02/Sep/2021:20:14:49.673264389 +0700] conn=85 op=10 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[02/Sep/2021:20:14:49.675188470 +0700] conn=85 op=10 RESULT err=0 tag=120 nentries=0 wtime=0.000182362 optime=0.001932648 etime=0.002112039
[02/Sep/2021:20:15:49.686722184 +0700] conn=85 op=11 UNBIND
[02/Sep/2021:20:15:49.686787256 +0700] conn=85 op=11 fd=66 closed error - U1
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/38]: creating directory server instance
[2/38]: tune ldbm plugin
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configure password logging
[7/38]: configuring replication version plugin
[8/38]: enabling IPA enrollment plugin
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: configuring topology plugin
[16/38]: creating indices
[17/38]: enabling referential integrity plugin
[18/38]: configuring certmap.conf
[19/38]: configure new location for managed entries
[20/38]: configure dirsrv ccache and keytab
[21/38]: enabling SASL mapping fallback
[22/38]: restarting directory server
[23/38]: creating DS keytab
[24/38]: ignore time skew for initial replication
[25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 12194 seconds elapsed
2 years, 7 months
Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
by Jeremy Tourville
Now I understand how to test the cert(s) after re-reading your comments, Rob and Flo 🙂
[root@utility certs]# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt /var/lib/ipa/certs/httpd.crt
/var/lib/ipa/certs/httpd.crt: OK
Chain:
depth=0: O = IDM.NAC-ISSA.ORG, CN = utility.idm.nac-issa.org (untrusted)
depth=1: O = IDM.NAC-ISSA.ORG, CN = Certificate Authority
________________________________
From: Jeremy Tourville <jeremy_tourville(a)hotmail.com>
Sent: Thursday, September 9, 2021 5:45 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
Oh wait!!! Which set of certs do I need to test against for my certificate chain?
I realized I didn't include the proper path when testing. It should be something like-
# openssl verify -verbose -show_chain -CAfile <path to root or intermediate cert> /etc/ipa/ca.crt
# openssl verify -verbose -show_chain -CAfile <path to root or intermediate cert> /var/lib/ipa/certs/httpd.crt
This would give you output (presuming you are using the correct set of certs)
/etc/ipa/ca.crt: OK
/var/lib/ipa/certs/httpd.crt: OK
Which path contains the intermediate or root CA certs I need to test against?
[root@utility ~]# ls -la | find / -name *.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/pki/tls/certs/localhost.crt
/etc/pki/pki-tomcat/alias/ca.crt
/etc/ipa/ca.crt
/etc/dirsrv/ssca/ca.crt
/etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
/etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
/var/lib/ipa/certs/httpd.crt
/var/kerberos/krb5kdc/kdc.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
/usr/share/ipa/html/ca.crt
________________________________
From: Jeremy Tourville <jeremy_tourville(a)hotmail.com>
Sent: Thursday, September 9, 2021 3:13 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
>>> It isn't complaining that the certificate isn't valid, it's complaining that it isn't trusted.
Thanks for pointing out my mistake. I'm wearing some egg on my face. I was thinking about it wrong at the time of my reply.
I attempted to verify trust-
[root@utility ipa]# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
^C
[root@utility ipa]# openssl verify -verbose -show_chain -CAfile /var/lib/ipa/certs/httpd.crt
^C
As you can see, no output, so yeah, they are not trusted.
>> Where did httpd.crt come from/what issuer?
I recall not using a 3rd party CA. The certs were just self-signed when the ipa server was initially built. I never did replace the certs as it wasn't required for our situation.
Next steps I guess would be to generate some new certs? Thoughts?
________________________________
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Thursday, September 9, 2021 12:53 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Florence Renaud <flo(a)redhat.com>; Jeremy Tourville <jeremy_tourville(a)hotmail.com>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
Jeremy Tourville via FreeIPA-users wrote:
> /var/lib/ipa/certs/httpd.crt
> looks valid and has a 3 year validity date starting from Nov 23, 2020
>
> /etc/ipa/ca.crt
> looks valid and has a 20 year validity date starting from Nov 23, 2020
It isn't complaining that the certificate isn't valid, it's complaining
that it isn't trusted. You also need to look at the signer and ensure
that the system trusts it globally. Where did httpd.crt come from/what
issuer?
You might try running:
openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
/var/lib/ipa/certs/httpd.crt
See the default.conf(5) man page for a description of default.conf,
server.conf, etc. In this case server is a context so the configuration
only applies there.
rob
>
>
> ------------------------------------------------------------------------
> *From:* Florence Renaud <flo(a)redhat.com>
> *Sent:* Tuesday, September 7, 2021 11:38 AM
> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Cc:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Hi Jeremy,
>
> to enable debugging you can simply create /etc/ipa/server.conf if the
> file does not exist:
> # cat /etc/ipa/server.conf
> [global]
> debug=True
> # systemctl restart httpd
>
> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
> examine its content with
> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
> If the IPA deployment includes an embedded CA, the CA that issued the
> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
> openssl command.
>
> flo
>
> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
> <jeremy_tourville(a)hotmail.com> wrote:
>
> I think I see the issue but I am unsure what to do to fix it. See
> below.
>
> To answer your question, yes I did accept the security exception.
>
> Also, I don't see a server.conf file at /etc/ipa so that I may
> enable debugging. What can you suggest for this issue?
>
>
> [root@utility ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> [root@utility ~]# kinit admin
> Password for admin(a)IDM.NAC-ISSA.ORG:
>
> [root@utility ~]# klist
> Ticket cache: KCM:0:43616
> Default principal: admin(a)IDM.NAC-ISSA.ORG
>
> Valid starting       Expires              Service principal
> 09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/IDM.NAC-ISSA.ORG(a)IDM.NAC-ISSA.ORG
>
> [root@utility ~]# ipa config-show
> ipa: ERROR: cannot connect to
> 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>
>
> ------------------------------------------------------------------------
> *From:* Florence Renaud <flo(a)redhat.com>
> *Sent:* Tuesday, September 7, 2021 10:47 AM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
> after running ipa-dns-install? (Was - Unable to start directory
> server after updates)
>
> Hi Jeremy,
> Did you accept the security exception displayed by the browser (I'm
> trying to eliminate obvious issues)?
> If nothing is displayed, can you check if ipa command-line is
> working as expected (for instance do "kinit admin; ipa config-show")?
> You may want to enable debug logs (add debug=True to the [global]
> section of /etc/ipa/server.conf and restart httpd service), retry
> WebUI authentication and check the generated logs in
> /var/log/http/error_log
>
> flo
>
> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> OK,
> Why don't I see anything on the initial login page?
> All I see is the URL and the fact that the certificate is not
> trusted. The certificate is not expired yet. Not until Nov 2021.
> The login in page is mostly solid white with no login or
> password field.
> _______________________________________________
> FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
>
>
2 years, 7 months
Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
by Jeremy Tourville
Oh wait!!! Which set of certs do I need to test against for my certificate chain?
I realized I didn't include the proper path when testing. It should be something like-
# openssl verify -verbose -show_chain -CAfile <path to root or intermediate cert> /etc/ipa/ca.crt
# openssl verify -verbose -show_chain -CAfile <path to root or intermediate cert> /var/lib/ipa/certs/httpd.crt
This would give you output (presuming you are using the correct set of certs)
/etc/ipa/ca.crt: OK
/var/lib/ipa/certs/httpd.crt: OK
Which path contains the intermediate or root CA certs I need to test against?
[root@utility ~]# ls -la | find / -name *.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/pki/tls/certs/localhost.crt
/etc/pki/pki-tomcat/alias/ca.crt
/etc/ipa/ca.crt
/etc/dirsrv/ssca/ca.crt
/etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/Server-Cert.crt
/etc/dirsrv/slapd-IDM-NAC-ISSA-ORG/ca.crt
/var/lib/ipa/certs/httpd.crt
/var/kerberos/krb5kdc/kdc.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
/usr/share/ipa/html/ca.crt
________________________________
From: Jeremy Tourville <jeremy_tourville(a)hotmail.com>
Sent: Thursday, September 9, 2021 3:13 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Florence Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
>>>It isn't complaining that the certificate isn't valid, it's complaining that it isn't trusted.
Thanks for pointing out my mistake. I'm wearing some egg on my face. I was thinking about it wrong at the time of my reply.
I attempted to verify trust-
[root@utility ipa]# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
^C
[root@utility ipa]# openssl verify -verbose -show_chain -CAfile /var/lib/ipa/certs/httpd.crt
^C
As you can see, no output, so yeah, they are not trusted.
>>Where did httpd.crt come from/what issuer?
I recall not using a 3rd party CA. The certs were just self-signed when the ipa server was initially built. I never did replace the certs as it wasn't required for our situation.
Next steps I guess would be to generate some new certs? Thoughts?
________________________________
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Thursday, September 9, 2021 12:53 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Florence Renaud <flo(a)redhat.com>; Jeremy Tourville <jeremy_tourville(a)hotmail.com>
Subject: Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
Jeremy Tourville via FreeIPA-users wrote:
> /var/lib/ipa/certs/httpd.crt
> looks valid and has a 3 year validity date starting from Nov 23, 2020
>
> /etc/ipa/ca.crt
> looks valid and has a 20 year validity date starting from Nov 23, 2020
It isn't complaining that the certificate isn't valid, it's complaining
that it isn't trusted. You also need to look at the signer and ensure
that the system trusts it globally. Where did httpd.crt come from/what
issuer?
You might try running:
openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
/var/lib/ipa/certs/httpd.crt
See the default.conf(5) man page for a description of default.conf,
server.conf, etc. In this case server is a context so the configuration
only applies there.
rob
>
>
> ------------------------------------------------------------------------
> *From:* Florence Renaud <flo(a)redhat.com>
> *Sent:* Tuesday, September 7, 2021 11:38 AM
> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Cc:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Hi Jeremy,
>
> to enable debugging you can simply create /etc/ipa/server.conf if the
> file does not exist:
> # cat /etc/ipa/server.conf
> [global]
> debug=True
> # systemctl restart httpd
>
> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
> examine its content with
> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
> If the IPA deployment includes an embedded CA, the CA that issued the
> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
> openssl command.
>
> flo
>
> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
> <jeremy_tourville(a)hotmail.com> wrote:
>
> I think I see the issue but I am unsure what to do to fix it. See
> below.
>
> To answer your question, yes I did accept the security exception.
>
> Also, I don't see a server.conf file at /etc/ipa so that I may
> enable debugging. What can you suggest for this issue?
>
>
> [root@utility ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> [root@utility ~]# kinit admin
> Password for admin(a)IDM.NAC-ISSA.ORG:
>
> [root@utility ~]# klist
> Ticket cache: KCM:0:43616
> Default principal: admin(a)IDM.NAC-ISSA.ORG
>
> Valid starting       Expires              Service principal
> 09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/IDM.NAC-ISSA.ORG(a)IDM.NAC-ISSA.ORG
>
> [root@utility ~]# ipa config-show
> ipa: ERROR: cannot connect to
> 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>
>
> ------------------------------------------------------------------------
> *From:* Florence Renaud <flo(a)redhat.com>
> *Sent:* Tuesday, September 7, 2021 10:47 AM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
> after running ipa-dns-install? (Was - Unable to start directory
> server after updates)
>
> Hi Jeremy,
> Did you accept the security exception displayed by the browser (I'm
> trying to eliminate obvious issues)?
> If nothing is displayed, can you check if ipa command-line is
> working as expected (for instance do "kinit admin; ipa config-show")?
> You may want to enable debug logs (add debug=True to the [global]
> section of /etc/ipa/server.conf and restart httpd service), retry
> WebUI authentication and check the generated logs in
> /var/log/http/error_log
>
> flo
>
> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> OK,
> Why don't I see anything on the initial login page?
> All I see is the URL and the fact that the certificate is not
> trusted. The certificate is not expired yet. Not until Nov 2021.
> The login in page is mostly solid white with no login or
> password field.
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
2 years, 7 months
Re: Why is ipa-ods-exporter broken after running ipa-dns-install? (Was - Unable to start directory server after updates)
by Rob Crittenden
Jeremy Tourville via FreeIPA-users wrote:
> /var/lib/ipa/certs/httpd.crt
> looks valid and has a 3 year validity date starting from Nov 23, 2020
>
> /etc/ipa/ca.crt
> looks valid and has a 20 year validity date starting from Nov 23, 2020
It isn't complaining that the certificate isn't valid, it's complaining
that it isn't trusted. You also need to look at the signer and ensure
that the system trusts it globally. Where did httpd.crt come from/what
issuer?
You might try running:
openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt
/var/lib/ipa/certs/httpd.crt
See the default.conf(5) man page for a description of default.conf,
server.conf, etc. In this case server is a context so the configuration
only applies there.
rob
>
>
> ------------------------------------------------------------------------
> *From:* Florence Renaud <flo(a)redhat.com>
> *Sent:* Tuesday, September 7, 2021 11:38 AM
> *To:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Cc:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken after
> running ipa-dns-install? (Was - Unable to start directory server after
> updates)
>
> Hi Jeremy,
>
> to enable debugging you can simply create /etc/ipa/server.conf if the
> file does not exist:
> # cat /etc/ipa/server.conf
> [global]
> debug=True
> # systemctl restart httpd
>
> The HTTPd certificate is stored in /var/lib/ipa/certs/httpd.crt, you can
> examine its content with
> # openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt
> If the IPA deployment includes an embedded CA, the CA that issued the
> httpd cert is stored in /etc/ipa/ca.crt and can also be checked with
> openssl command.
>
> flo
>
> On Tue, Sep 7, 2021 at 6:09 PM Jeremy Tourville
> <jeremy_tourville(a)hotmail.com> wrote:
>
> I think I see the issue but I am unsure what to do to fix it. See
> below.
>
> To answer your question, yes I did accept the security exception.
>
> Also, I don't see a server.conf file at /etc/ipa so that I may
> enable debugging. What can you suggest for this issue?
>
>
> [root@utility ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-ods-exporter Service: STOPPED
> ods-enforcerd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> [root@utility ~]# kinit admin
> Password for admin(a)IDM.NAC-ISSA.ORG:
>
> [root@utility ~]# klist
> Ticket cache: KCM:0:43616
> Default principal: admin(a)IDM.NAC-ISSA.ORG
>
> Valid starting       Expires              Service principal
> 09/07/2021 10:59:23  09/08/2021 10:09:04  krbtgt/IDM.NAC-ISSA.ORG(a)IDM.NAC-ISSA.ORG
>
> [root@utility ~]# ipa config-show
> ipa: ERROR: cannot connect to
> 'https://utility.idm.nac-issa.org/ipa/json': [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
>
>
> ------------------------------------------------------------------------
> *From:* Florence Renaud <flo(a)redhat.com>
> *Sent:* Tuesday, September 7, 2021 10:47 AM
> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> *Cc:* Jeremy Tourville <jeremy_tourville(a)hotmail.com>
> *Subject:* Re: [Freeipa-users] Re: Why is ipa-ods-exporter broken
> after running ipa-dns-install? (Was - Unable to start directory
> server after updates)
>
> Hi Jeremy,
> Did you accept the security exception displayed by the browser (I'm
> trying to eliminate obvious issues)?
> If nothing is displayed, can you check if ipa command-line is
> working as expected (for instance do "kinit admin; ipa config-show")?
> You may want to enable debug logs (add debug=True to the [global]
> section of /etc/ipa/server.conf and restart httpd service), retry
> WebUI authentication and check the generated logs in
> /var/log/http/error_log
>
> flo
>
> On Tue, Sep 7, 2021 at 2:01 PM Jeremy Tourville via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> OK,
> Why don't I see anything on the initial login page?
> All I see is the URL and the fact that the certificate is not
> trusted. The certificate is not expired yet. Not until Nov 2021.
> The login in page is mostly solid white with no login or
> password field.
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
2 years, 7 months
FreeIPA - Replica - Install
by Mathias Rumbold
Hello Community!
I am trying to add a new Fedora 34 server as a secondary master. The idm01 is still Fedora 33, but the versions are the same as far as I can see.
The issue I am hitting is when installing the replica (the client install works fine).
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Log files:
2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf' doesn't exist
2021-09-08T11:33:07Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa-rewrite.conf'
2021-09-08T11:33:07Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
2021-09-08T11:33:07Z DEBUG step duration: httpd __configure_http 0.26 sec
2021-09-08T11:33:07Z DEBUG [10/21]: setting up httpd keytab
2021-09-08T11:33:07Z DEBUG raw: service_add('HTTP/idm02.example.com(a)example.com', force=True, version='2.242')
2021-09-08T11:33:07Z DEBUG service_add(ipapython.kerberos.Principal('HTTP/idm02.example.com(a)example.com'), force=True, skip_host_check=False, all=False, raw=False, version='2.242', no_members=False)
2021-09-08T11:33:07Z DEBUG flushing ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket from SchemaCache
2021-09-08T11:33:07Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fb640f00160>
2021-09-08T11:33:08Z DEBUG raw: host_show('idm02.example.com', version='2.242')
2021-09-08T11:33:08Z DEBUG host_show('idm02.example.com', rights=False, all=False, raw=False, version='2.242', no_members=False)
2021-09-08T11:33:08Z DEBUG Backing up system configuration file '/var/lib/ipa/gssproxy/http.keytab'
2021-09-08T11:33:08Z DEBUG -> Not backing up - '/var/lib/ipa/gssproxy/http.keytab' doesn't exist
2021-09-08T11:33:08Z DEBUG Starting external process
2021-09-08T11:33:08Z DEBUG args=['/usr/sbin/ipa-getkeytab', '-k', '/var/lib/ipa/gssproxy/http.keytab', '-p', 'HTTP/idm02.example.com(a)example.com', '-H', 'ldapi://%2Frun%2Fslapd-TALHEIM-IT-AT.socket', '-Y', 'EXTERNAL']
2021-09-08T11:33:08Z DEBUG Process finished, return code=0
2021-09-08T11:33:08Z DEBUG stdout=
2021-09-08T11:33:08Z DEBUG stderr=Keytab successfully retrieved and stored in: /var/lib/ipa/gssproxy/http.keytab
2021-09-08T11:33:08Z DEBUG Waiting up to 300 seconds for replication (ldap://idm01.example.com:389) krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at (objectclass=*)
2021-09-08T11:33:09Z DEBUG Entry found [LDAPEntry(ipapython.dn.DN('krbprincipalname=HTTP/idm02.example.com(a)example.com,cn=services,cn=accounts,dc=talheim-it,dc=at'), {'krbLastPwdChange': [b'20210908113308Z'], 'krbCanonicalName': [b'HTTP/idm02.example.com(a)example.com'], 'objectClass': [b'krbprincipal', b'krbprincipalaux', b'krbticketpolicyaux', b'ipaobject', b'ipaservice', b'pkiuser', b'ipakrbprincipal', b'top'], 'managedBy': [b'fqdn=idm02.example.com,cn=computers,cn=accounts,dc=talheim-it,dc=at'], 'ipaKrbPrincipalAlias': [b'HTTP/idm02.example.com(a)example.com'], 'krbPrincipalName': [b'HTTP/idm02.example.com(a)example.com'], 'ipaUniqueID': [b'8a3a99ec-1098-11ec-b7a5-860000d9fd13']})]
2021-09-08T11:33:09Z DEBUG step duration: httpd request_service_keytab 1.56 sec
2021-09-08T11:33:09Z DEBUG [11/21]: configuring Gssproxy
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/usr/sbin/selinuxenabled']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/sbin/restorecon', '/etc/gssproxy/10-ipa.conf']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'restart', 'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Starting external process
2021-09-08T11:33:09Z DEBUG args=['/bin/systemctl', 'is-active', 'gssproxy.service']
2021-09-08T11:33:09Z DEBUG Process finished, return code=0
2021-09-08T11:33:09Z DEBUG stdout=active
2021-09-08T11:33:09Z DEBUG stderr=
2021-09-08T11:33:09Z DEBUG Restart of gssproxy.service complete
2021-09-08T11:33:09Z DEBUG step duration: httpd configure_gssproxy 0.09 sec
2021-09-08T11:33:09Z DEBUG [12/21]: setting up ssl
2021-09-08T11:33:09Z DEBUG certmonger request is in state 'GENERATING_KEY_PAIR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:10Z DEBUG Cert request 20210908113309 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:10Z DEBUG Giving up on cert request 20210908113309
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'GENERATING_CSR'
2021-09-08T11:33:10Z DEBUG certmonger request is in state 'SUBMITTING'
2021-09-08T11:33:11Z DEBUG certmonger request is in state 'CA_UNREACHABLE'
2021-09-08T11:33:11Z DEBUG Cert request 20210908113310 failed: CA_UNREACHABLE (Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG Giving up on cert request 20210908113310
2021-09-08T11:33:11Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 398, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 342, in run
return cfgr.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 655, in _configure
next(executor)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 431, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 518, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 515, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 450, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 421, in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 418, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 608, in main
replica_install(self)
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
func(installer)
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1301, in install
install_http(
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 163, in install_http
http.create_instance(
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 151, in create_instance
self.start_creation()
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 621, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/httpinstance.py", line 402, in __setup_ssl
certmonger.request_and_wait_for_cert(**args)
File "/usr/lib/python3.9/site-packages/ipalib/install/certmonger.py", line 414, in request_and_wait_for_cert
raise RuntimeError(
2021-09-08T11:33:11Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR Certificate issuance failed (CA_UNREACHABLE: Server at https://idm01.example.com/ipa/json failed request, will retry: 4205 (attribute "entryuuid" not allowed).)
2021-09-08T11:33:11Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Made on a completely freshly deployed VM.
Yours,
Mathias
2 years, 7 months